Are rogue cell towers snooping on your calls?

Graham Cluley

The number of calls made from cell phones every day is absurd.

Let’s just say it exceeds the population of every country where residents have access to cell phones and be done with it.

Maybe that’s not true and maybe it is. The point is – the volume of calls made every day is overwhelming.
Despair is one way to describe my reaction to the news that some cell towers in the United States could be snooping on our calls.

There are 17 bogus cellphone towers operating across the US that could be used to snoop on, and even hijack passing calls, texts and other communications, according to an article published in Popular Science last week.

The towers were discovered by defense and law enforcement technology provider ESD America, known for selling secured mobile phones that claim to detect mobile baseband hacking attempts. It also manufactured the CryptoPhone 500, a modified Galaxy S3 secured phone with firewall protection and end-to-end encryption of its baseband chip, running its own custom version of Android OS (minus the vulnerabilities the company says it found and removed).

Les Goldsmith, the CEO of ESD America, used the CryptoPhone 500 to detect 17 phoney cellphone towers around the United States during the month of July. Goldsmith labels fake cell towers “interceptors.” They’re also known as IMSI catchers.

“Interceptor use in the U.S. is much higher than people had anticipated,” he told Popular Science. “One of our customers took a road trip from Florida to North Carolina and he found eight different interceptors on that trip.”

How IMSI catchers work

Cellphones connect to cellular towers with the help of a baseband processor, a chip that controls radio signals transferred between the towers and the phones. Mobile phones seek out radio signals and connect to the nearest cell tower, and each phone has to prove its authenticity to the tower it is connecting to.

That’s where IMSI catchers, which are used by law enforcement agencies, come in: they collect the IMSI identification numbers of the SIM cards used in LTE and GSM phones. Nearby cellphone towers, whether fake or real, log the device’s IMSI.

The communications between the phone and the cellular tower are encrypted, but the encryption standard is determined by the tower, so the tower can opt for no encryption at all.

With this strategy, a bogus tower with a stronger signal than nearby towers can force connecting devices to drop encryption. Bogus towers can therefore inject malware by attacking the baseband processor, or relay the outgoing communications to legitimate networks and conduct man-in-the-middle attacks.

Who is behind these phoney towers?

Although the towers were discovered in July, the report implied that there have been more operating across the country. Goldsmith and his team drove by the government facility with one of their handsets, an iPhone and a Galaxy S4 as part of a test.

“As we drove by, the iPhone showed no difference whatsoever. The Samsung Galaxy S4, the call went from 4G to 3G and back to 4G. The CryptoPhone lit up like a Christmas tree,” Goldsmith said.

The CryptoPhone’s baseband firewall triggered alerts that the phone’s encryption had been switched off and the cellular tower nearby didn’t have a name—a telltale indication of a rogue base station. Standard towers deployed by major carriers will have a name but interceptors are often unnamed.

The tower also forced the CryptoPhone from 4G to 2G, an old protocol whose traffic is easy to decrypt on the spot. The iPhone and Galaxy S4 didn’t even show that they were under the same attack.
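The three indicators described above (encryption switched off, an unnamed tower, a forced drop to an older protocol), as an added example that is not from the article or from ESD America: a Python check that looks for them in a log of serving-cell observations. The record fields, the sample log and the two-indicator threshold are assumptions made for illustration, not a real baseband interface.

```python
from dataclasses import dataclass

# Radio generations ordered so a drop (e.g. 4G -> 2G) can be compared numerically.
GENERATION = {"2G": 2, "3G": 3, "4G": 4}

@dataclass
class CellEvent:          # hypothetical record layout, one per serving-cell change
    t: int                # seconds since the start of the capture
    rat: str              # radio access technology: "2G", "3G" or "4G"
    cell_name: str        # name reported for the serving tower, "" if none
    ciphering: bool       # True if the radio link is encrypted

def indicators(prev, ev):
    """List which of the article's three warning signs this event shows."""
    found = []
    if not ev.ciphering:
        found.append("encryption off")
    if not ev.cell_name.strip():
        found.append("unnamed cell")
    if prev is not None and GENERATION[ev.rat] < GENERATION[prev.rat]:
        found.append(f"downgrade {prev.rat}->{ev.rat}")
    return found

def review(events, min_indicators=2):
    """Return (time, indicators) for events with at least min_indicators hits.

    Assumption: a lone downgrade also occurs on ordinary handovers, so a
    single hit is not reported unless min_indicators is lowered to 1.
    """
    alerts, prev = [], None
    for ev in sorted(events, key=lambda e: e.t):
        found = indicators(prev, ev)
        if len(found) >= min_indicators:
            alerts.append((ev.t, found))
        prev = ev
    return alerts

# Constructed sample log of a drive past a suspect site ("ExampleTel" is made up).
SAMPLE = [
    CellEvent(0, "4G", "ExampleTel", True),
    CellEvent(30, "3G", "ExampleTel", True),   # downgrade only
    CellEvent(45, "4G", "ExampleTel", True),
    CellEvent(60, "2G", "", False),            # all three indicators at once
    CellEvent(90, "4G", "ExampleTel", True),
]

if __name__ == "__main__":
    for t, found in review(SAMPLE):
        print(f"t={t}s: " + ", ".join(found))
```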

Although it was unclear who these towers belong to, ESD found several of them located near U.S. military bases.

“Whose interceptor is it? Who are they, that’s listening to calls around military bases? Is it just the U.S. military, or are they foreign governments doing it? The point is: we don’t really know whose they are,” said Goldsmith.

It’s not the NSA – the agency can tap any number of calls without requiring bogus towers, VentureBeat said:

Not the NSA, cloud security firm SilverSky CTO/SVP Andrew Jaquith told us. “The NSA doesn’t need a fake tower,” he said. “They can just go to the carrier” to tap your line.

Goldsmith thinks this wasn’t the work of hacker gangs, given the expense involved in accessing some of the locations where the towers are based. The technology is not trivial, either. Phones have a different OS for using the baseband processor, a chip acting as the middleman between the cell towers and the device’s OS.

Broadcom, Intel and other popular baseband chip manufacturers keep baseband details under tight control, making it a long stretch for most hackers.

An unnamed American expert speaking to The Register put forward a more casual explanation:

“It is most probable that these sites are to allow coverage to groups of people that are not in a conventional coverage area (such as paying customers in a casino, or military groups),” the source said. “I would suggest that university campus areas may do the same.”

Goldsmith didn’t reveal GSMK CryptoPhone 500’s price or sales figures, but MIT Technology Review puts the retail price of the handset at an eye-watering $3,500.

I don’t see baseband firewall alerts coming to modern handsets anytime soon. So let’s just root for the FCC task force to get to the bottom of these bogus towers, as they really need to find out who is setting them up.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.